RHEL 6 openssh unpatched vulnerability
Reporter | Title | Published | Views | Family |
---|---|---|---|---|
Tenable Nessus | RHEL 5 : openssh (Unpatched Vulnerability) | 11 May 2024 00:00 | – | nessus |
Tenable Nessus | RHEL 7 : openssh (RHSA-2017:2029) | 2 Aug 2017 00:00 | – | nessus |
Tenable Nessus | RHEL 7 : openssh (Unpatched Vulnerability) | 3 Jun 2024 00:00 | – | nessus |
Tenable Nessus | CentOS 7 : openssh (CESA-2017:2029) | 25 Aug 2017 00:00 | – | nessus |
Tenable Nessus | RHEL 6 : openssh (Unpatched Vulnerability) | 3 Jun 2024 00:00 | – | nessus |
Tenable Nessus | SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2019:0132-1) | 22 Jan 2019 00:00 | – | nessus |
Tenable Nessus | GLSA-201903-16 : OpenSSH: Multiple vulnerabilities | 21 Mar 2019 00:00 | – | nessus |
Tenable Nessus | SUSE SLED15 / SLES15 Security Update : openssh (SUSE-SU-2019:0126-1) | 22 Jan 2019 00:00 | – | nessus |
Tenable Nessus | SUSE SLES12 Security Update : openssh (SUSE-SU-2019:0125-1) | 22 Jan 2019 00:00 | – | nessus |
Tenable Nessus | SUSE SLES11 Security Update : openssh (SUSE-SU-2019:13931-1) | 22 Jan 2019 00:00 | – | nessus |
```
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory openssh. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

# Plugin metadata block
if (description)
{
  script_id(195377);
  script_version("1.0");

  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-6515",
    "CVE-2016-10009",
    "CVE-2016-10011",
    "CVE-2016-10012",
    "CVE-2016-10708",
    "CVE-2016-20012",
    "CVE-2018-20685",
    "CVE-2019-6109",
    "CVE-2019-6110",
    "CVE-2019-6111",
    "CVE-2020-14145",
    "CVE-2020-15778",
    "CVE-2021-41617",
    "CVE-2023-51385",
    "CVE-2023-51767"
  );

  script_name(english:"RHEL 6 : openssh (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- openssh: loading of untrusted PKCS#11 modules in ssh-agent (CVE-2016-10009)
- openssh: scp allows command injection when using backtick characters in the destination argument
(CVE-2020-15778)
- authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer
contents, which might allow local users to obtain sensitive private-key information by leveraging access
to a privilege-separated child process. (CVE-2016-10011)
- The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4
does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain
privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and
m_zlib data structures. (CVE-2016-10012)
- sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference
and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c
and packet.c. (CVE-2016-10708)
- OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username
and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a
challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not
recognize user enumeration as a vulnerability for this product (CVE-2016-20012)
- The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths
for password authentication, which allows remote attackers to cause a denial of service (crypt CPU
consumption) via a long string. (CVE-2016-6515)
- In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions
via the filename of . or an empty filename. The impact is modifying the permissions of the target
directory on the client side. (CVE-2018-20685)
- An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a
malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client
output, e.g., by using ANSI control codes to hide additional files being transferred. This affects
refresh_progress_meter() in progressmeter.c. (CVE-2019-6109)
- In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious
server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control
codes to hide additional files being transferred. (CVE-2019-6110)
- An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the
server chooses which files/directories are sent to the client. However, the scp client only performs
cursory validation of the object name returned (only directory traversal attacks are prevented). A
malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client
target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as
well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)
- The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in
the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts
(where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and
8.6 are also affected. (CVE-2020-14145)
- sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows
privilege escalation because supplemental groups are not initialized as expected. Helper programs for
AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group
memberships of the sshd process, if the configuration specifies running the command as a different user.
(CVE-2021-41617)
- In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell
metacharacters, and this name is referenced by an expansion token in certain situations. For example, an
untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
(CVE-2023-51385)
- OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for
authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not
resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-
location in which the attacker has user privileges. (CVE-2023-51767)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10009");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-15778");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');
include('rhel.inc');

# Exit unless unpatched-vulnerability detection is active for this scan
if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

# Precondition checks: local checks enabled, Red Hat release string, RPM list, supported CPU
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

# Package constraint: the openssh package on RHEL 6
var constraints = [
  {
    'pkgs': [
      {'reference':'openssh', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'openssh'}
    ]
  }
];

# Count constraint entries whose unpatched package is reported as installed
var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

# Report a finding if any constraint matched; otherwise record why the host is not affected
if (flag)
{
  var extra = NULL;
  security_report_v4(
    port : 0,
    severity : SECURITY_HOLE,
    extra : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssh');
}
```